Electronic CIPHER, Issue 175, September 24, 2023

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 175                                   September 24, 2023

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "Protocols, Strands, and Logic" by Daniel Dougherty, Jose Meseguer, Sebastian Alexander Moedersheim, and Paul Rowe (Eds.)
    o News items
      - Dormant Chinese Malware Causes Concern
      - Air Force Comms for the Home
      - IT Support from Russia?
        Just Say No
      - North Korea's Long Infosec Arm
      - Teslas Made Cozy for Free via Side Channel Attacks
      - MOVEit Hack Keeps on Movin'
      - Cyber Intruders Might Flip the Switch
      - Just Blast that Pass
      - Hacks in Vegas Ruin Stays in Vegas
      - North Korean Cravings for Crypto Currency
      - Debugging Considered Harmful
      - The Unending End-to-End Battle
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
   See https://ieee-security.org/Calendar/cipher-hypercalendar.html
   and https://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Some of the recent news about cyberattacks on US resources by foreign states is startling in the level of sophistication revealed in their discovery. Some of these are well-engineered systems, achieving clandestine residency for months if not years. It seems impossible to achieve security perfection in the software industry, and any chink in security seems to be exploited thoroughly. Some days it feels like if the hackers don't get you then a solar flare will. I'm keeping my abacus.

The leaves of autumn are falling as fast as the pages of research being prepared for conference submissions. The usual "write/travel" pulse of the research year has already been stretched out by the move to continuous submission deadlines, but more change may be afoot. There is much discussion of changing the conference model so that authors might not be required to present a paper in-person.
There certainly are problems in scaling a conference up by a factor of ten or more in terms of papers and attendees, but it is difficult to make a strategic decision that changes the conference model away from author presentations. Attendees, students, researchers, publishers, and funding agencies need to come together to improve and expand the conferences.

I Saw in the Core Dump

  Ooh-ooh, I bet you're wondering how I knew
  'Bout your missiles through and through
  From some other password you used before
  And crypto keys from days of yore
  You know I've got them all and more.
  It took me by surprise, I must say
  When I found out yesterday
  Don't you know that

  [Chorus]
  I saw it in the core dump
  Your missile plans that made me jump,
  Oh, I saw it in the core dump,
  Oh, I'm just about to lose my mind
  Honey, honey, yeah
  (Saw it in the core dump, not much longer would you be my ally)

  [Homage to the great Marvin Gaye]

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
9/23/2023
____________________________________________________________________

Protocols, Strands, and Logic
by Daniel Dougherty, Jose Meseguer, Sebastian Alexander Moedersheim, and Paul Rowe (Eds.)

Springer Verlag 2021.
ISBN 978-3-030-91630-5 (Softcover), ISBN 978-3-030-91631-2 (eBook)
Festschrift, LNCS 13066; 425 pages

When designing secure systems, electronic commerce, Internet of Things, social media, smart homes, industrial control systems, and distributed systems overall call for security protocols, often also called cryptographic protocols, to secure the exchanges between the network nodes. This Festschrift is a set of 23 essays dedicated to Joshua Guttman's 66.66th birthday. Granted, this book was published in December 2021, but aren't we all playing catchup in this post-pandemic era? It is still timely today.

The editors of this Festschrift collected 23 essays from authors in the field of formal methods for protocol analysis, an area that has been touched upon in this set of book reviews a few times. For those who are interested and new in the field, I urge you to pick up those other books as a basic introduction, if need be. Spread over 425 pages with 65 black and white illustrations and with a preface by the editors, this book provides access to a higher ground in this field of formal methods. The authors who wrote these essays are themselves in the right position to comment on Joshua Guttman's contributions, which include the concept of "Strand Spaces" for protocol analysis.

Of course this field is close to my heart. What does it mean that a protocol is secure? How do we express it? What concepts are needed to describe the minute differences that shield the information from the attackers, the evil adversaries Eve and Mallory that intrude upon Alice and Bob? What granularity is needed to express the security guarantees, the lack thereof, the attacks that have already been performed, and the ones we will discover tomorrow?

These 23 essays are self-contained contributions, as an homage to Joshua Guttman, that describe how influential his work has been, but also where the work went to next.
Applications to modern concepts, such as smart home environments called Node-RED, blockchain, security domains, prototyping formal method tools, value of privacy in federated data trading, are represented here. For those who are familiar with the field, these are delightful departures into new corners. And for those who are new to the field, perhaps this is a motivation to delve deeper into an area that brings together a few disciplines to make things work just right. I remember walking down the aisles of a bookshop in the DC area with some of these experts mentioned here, picking up various mathematics books off the shelves that illustrated some basic concepts needed to perform various forms of protocol analysis.

Each essay is, as previously mentioned, self-contained and has its own bibliography, so one can enjoy each one of them as a "bonbon," e.g. to savor as your bedtime reading. While they are anything but introductory, these essays do provide explorations of the field of protocol analysis, a thorough checkup of the primitives that make up the building blocks of our "secure systems" we create today.

One such essay I will highlight: Sylvan Pinsky's reference to Joshua Guttman's pioneering of strand spaces, which allowed showing whether security protocols are correct, is an homage to his work. Another essay talks about explaining security protocols to your children. There is an essay for everyone in this collection.

Overall I liked reading this collection of essays: the curation by the four editors, assembling these works from knowledgeable contributors in this protocol analysis field, is different from simply picking a few papers and stapling them together. Joshua Guttman, someone I had the pleasure of meeting many years ago at the Protocol Exchange meetings in the DC area, sometimes held at the National Cryptologic Museum right outside of "The Agency," as a few call the National Security Agency, deserves all the credit he gets in this Festschrift.
It shows the impact Joshua Guttman has made, the inspirations he has created and continues to make.

I hope you will enjoy reading this Festschrift as much as I did. My copy will find its permanent space on my bookshelf.

--------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------------------------------------------------
Dormant Chinese Malware Causes Concern

U.S. Hunts Chinese Malware That Could Disrupt American Military Operations
https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html
Publisher: New York Times
Date: July 29, 2023
By: David E. Sanger and Julian E. Barnes

AND

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Publisher: Microsoft Security
Date: May 24, 2023

Summary:
The Biden administration has started to discuss the widespread presence of a piece of malware with "some state governors and utility companies." The malware is so far benign, simply spreading and probing affected sites. It has been lurking around, notably at a military base in Guam, for a year or more. Microsoft identifies, with "moderate confidence", the Chinese group Volt Typhoon as the originator of the deeply surreptitious malware. Its purpose is unknown, but there is suspicion that it could be activated to disrupt communications between the US and Asia at some point of tension.
The malware enters systems through Fortinet FortiGuard devices, and from there uses a wide variety of methods to entrench itself in routers and other edge devices. It gathers credentials for infrastructure and keeps data in encoded files. At this time the extent of its footprint is unknown.

------------------------------------------------------------------------------
Air Force Comms for the Home

Air Force contractor charged with soliciting minor, stealing gear
https://www.airforcetimes.com/news/your-air-force/2023/08/04/air-force-contractor-charged-with-soliciting-minor-stealing-gear/
Publisher: Air Force Times
Date: Aug 4, 2023
By: Rachel S. Cohen

Summary:
An engineering contractor for Arnold Air Force Base (AAFB) in Tennessee caused consternation when it was discovered that he had taken a great deal of radio equipment and restricted communications data to his home. There, he set up his own system to run "the entire AAFB communications system". He also had data for local law enforcement radio programming. He had the capability of eavesdropping on Air Force, local FBI, and Tennessee Valley Authority communications. The motive seemed to be hubris rather than espionage, but the extent of the home system was surprising. A few dozen USB and hard drives had been used to copy all the relevant information for the base's radio systems.

------------------------------------------------------------------------------
IT Support from Russia? Just Say No

Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks
https://www.reuters.com/technology/microsoft-says-russia-linked-hackers-behind-dozens-teams-phishing-attacks-2023-08-03
Publisher: Reuters
Date: August 2, 2023
By: Zeba Siddiqui

Summary:
Midnight Blizzard, or APT29, is a hacking organization that carefully chooses high value targets, particularly "government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."
Its latest exploits have been phishing attempts originating from domains that mimic Microsoft IT support sites. The phishing chat conversation urges users of Microsoft TEAMS to approve multifactor authentication prompts. Fewer than 40 organizations have been targeted, and Microsoft has taken steps to recognize and avoid the fraudulent domains. Nonetheless, users need to stay alert to these attempts, lest they open their organizations to document theft.

------------------------------------------------------------------------------
North Korea's Long Infosec Arm

Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
Publisher: Sentinel One
Date: August 7, 2023
By: Tom Hegel and Aleksandar Milenkoski

Summary:
Infosec specialists at SentinelOne Labs say they were looking into North Korea's missile system development (through "our usual hunting and tracking") when they came across some interesting emails showing that North Korea is able to penetrate Russian cyberstructure. The North Korean exploit went undetected for several months as they crawled through the cyberspace of the Russian missile manufacturer NPO Mashinostroyeniya.

The exploit used by North Korea was based on a version of "OpenCarrot Windows OS backdoor", used by the "ScarCruft threat actor". Through this they gained access to the target's email server. SentinelOne Labs found the exfiltrated email files in the North Korean infrastructure. The emails show that the missile manufacturer identified the intrusions and took steps to shut them down in May of 2022.

The report by SentinelOne Labs mentions other interesting mechanisms of the exploit.
They were aided in their investigation by what they perceived as sloppiness by the North Koreans in not sufficiently hiding their exploits, but they also mention the danger posed by the "convergence of North Korean cyber threat actors".

------------------------------------------------------------------------------
Teslas Made Cozy for Free via Side Channel Attacks

Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrades
https://www.tomshardware.com/news/tesla-mcu-amd-asp-flaw-jailbreak
Sorry Elon, but this appears to be unpatchable.
Publisher: tomsHardware
Date: August 7, 2023
By: Brandon Hill

Summary:
Tesla's internal controls run on Linux and Linux runs on chips that have a Trusted Platform Module. That sounds really secure, but if one has physical access to the chip, one can apply a voltage glitch and bypass all the cryptographic security. It turns out that there are paywalled features of the cars that can be unlocked once the unfettered access to Linux is opened, one of those features being meant for passenger comfort in cold weather.

For more detail, see the BlackHat presentation:
https://www.blackhat.com/us-23/briefings/schedule/index.html#jailbreaking-an-electric-vehicle-in--or-what-it-means-to-hotwire-teslas-x-based-seat-heater-33049
Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater
by Christian Werling, Niclas Kuhnapfel, Hans Niklas Jacob (PhD Students TU Berlin), and Oleg Drokin, Security Researcher

------------------------------------------------------------------------------
MOVEit Hack Keeps on Movin'

MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts
https://www.reuters.com/technology/moveit-hack-spawned-around-600-breaches-isnt-done-yet-cyber-analysts-2023-08-08/
Publisher: Reuters
Date: August 8, 2023
By: Raphael Satter and Zeba Siddiqui

Summary:
We previously (last July) reported on the ransomware exploit against a widely used file transfer app MOVEit.
At that time, the number of sites thought to be affected was small, and a patch was immediately available. In the interim, as many as 40 million people have had their privacy compromised, and the number of businesses affected is 600 and growing. The intruders have been able to get the private data of many clients of the breached systems: driver's license info, pensioners' data, etc. Some experts feel that the implications of these disclosures will have rippling effects for a long time to come.

------------------------------------------------------------------------------
Cyber Intruders Might Flip the Switch

Data centers at risk due to flaws in power management software
https://cyberscoop.com/def-con-data-center-vulnerability/
Bugs found by Trellix researchers could allow for malicious hackers to gain access to sensitive sites like data centers.
Publisher: CyberScoop
Date: August 14, 2023
By: Christian Vasquez

Summary:
At a recent DEFCON, researchers from Trellix revealed how vulnerable data centers can be to network-based intrusions. While the individual server security might be stellar, the power management for the facility sometimes can be accessed without proper authentication, due to software flaws. This gives intruders the ability to turn individual computers off or on, and such a level of control might enable installation of malware onto the machines.

The vulnerable software identified by Trellix has been patched.

It has been long known that control software often derives from systems of yore that did not have strong security controls. The weaknesses return to haunt high-tech today.

------------------------------------------------------------------------------
Just Blast that Pass

BLASTPASS NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Publisher: CitizenLab
Date: September 7, 2023

Summary:
Apple has developer tools for creating secure credentials for "passes" of various kinds, e.g. special promotions, event tickets, boarding passes. These can be put into Apple wallets and read through scanners. It sounds very useful and very secure, except that someone found a way to use it to install spyware: the notorious "NSO Group's Pegasus mercenary spyware".

This zero-day exploit was uncovered during a check of an iPhone belonging to an NGO employee. The vulnerability was particularly concerning because it required no action on the part of a victim other than receiving an iMessage with an image.

Apple has issued two CVEs addressing the problem. They note that "Lockdown Mode" will protect against the spyware. Lockdown Mode is for people who fear being "personally targeted by some of the most sophisticated digital threats."

------------------------------------------------------------------------------
Hacks in Vegas Ruin Stays in Vegas

MGM Resorts says cyberattack could have material effect on company
https://www.cnbc.com/2023/09/13/mgm-resorts-cyberattack-and-outage-stretches-into-third-day.html
Publisher: CNBC
Date: Sep 13, 2023
By: Rohan Goswami

Summary:
The fun and glitz of Las Vegas can pale if the gaming machines don't work and you can't get into your hotel room. Due to a cyberattack, visitors to MGM resorts have been experiencing these issues and others. In an SEC filing, the company revealed that they expect revenue losses from the ongoing problems.

Another regulatory filing about losses due to cyberhacks was given by the Clorox company.
Their recovery from the attacks affected production, and at the current time they are filling orders with manual processes. See the CNN article from September 18:
Clorox products in short supply after cyberattack disrupts operations
https://www.cnn.com/2023/09/18/business/clorox-cyberattack-production-disruption/index.html

------------------------------------------------------------------------------
North Korean Cravings for Crypto Currency

Blockchain analysts suspect North Korea-linked hackers behind $70 million crypto theft
https://www.reuters.com/technology/blockchain-analysts-suspect-n-korea-linked-hackers-behind-70m-crypto-theft-2023-09-15/
Publisher: Reuters
Date: September 15, 2023
By: Elizabeth Howcroft and Raphael Satter

Summary:
The crypto currency exchange CoinEx announced that it had lost a small portion of its assets due to hacking of its crypto wallets. The $70 million may have been stolen by the Lazarus group, which has ties to North Korea.

The blockchain analytics firm Elliptic said that the CoinEx heist followed the same pattern as four recent cryptocurrency thefts, and they believe that the Lazarus group was behind them all. Their analysis is here:
https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics

------------------------------------------------------------------------------
Debugging Considered Harmful

Microsoft finally explains cause of Azure breach: An engineer's account was hacked
https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/
Other failures along the way included a signing key improperly appearing in a crash dump.
Publisher: Ars Technica
Date: Sept 6, 2023
By: Dan Goodin

Summary:
Microsoft has explained several critical failures that led to the compromise of the email accounts of several carefully chosen Exchange users, including some in the US Department of Justice.
The notable oversight was a core dump that included a signing key; the core dump was given to an engineer who worked on it in a facility that had less security than Microsoft normally insists on for sensitive security information. The engineer's account had been hacked by a Chinese actor known as Storm-0558. Normally, signing keys are excised from core dumps, but Microsoft said that a "race condition" had prevented that action, and the engineers were unaware of the disclosed key.

The organization that obtained the core dump from the engineer's corporate account somehow spotted the key and made use of it for creating unauthorized credentials for accessing accounts.

There was another problem that was exploited as part of the wider and targeted breach of Exchange accounts. Somehow the developers of the mail system and the developers of an API for cryptographic validation of keys got their wires crossed, resulting in a situation in which each group thought the other was doing the validation. Oops.

------------------------------------------------------------------------------
The Unending End-to-End Battle

UK Online Safety Bill to become law – and encryption busting clause is still there
https://www.theregister.com/2023/09/20/uk_online_safety_bill_passes/
Admits it's 'not technically feasible' ... but with no promise not to invoke it
Publisher: The Register
Date: Sep 20, 2023
By: Lindsay Clark

Summary:
The UK Parliament passed a sweeping bill aimed at private communications services. The bill is intended to "tackle child sexual exploitation and abuse content", but the requirement for possibly scanning encrypted user messages and files has privacy experts concerned. The bill allows the government's communication regulator, Ofcom, to order a messaging service to scan messages for harmful content, even if the service provides "end-to-end" encryption.
Some providers have said that they will stop offering products in the UK because from a purely technical viewpoint, end-to-end encryption and scanning cannot be combined. The parliament sought some middle ground in saying that the scanning would only be used as a last resort, but that does not address the impossibility of the requirement.

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Online calendar of Security and Privacy Related Events maintained by Hilarie Orman, CFP list maintained by Yong Guan

Date (Month/Day/Year), Event, Locations, web page for more info.

ICBC 2023 International Conference on Blockchain, Honolulu, Hawaii, USA, September 23 - 26, 2023.
http://blockchain1000.org/2023

ESORICS 2023 28th European Symposium on Research in Computer Security, Hague, Netherlands, September 25-29, 2023.
https://esorics2023.org

CLPSC 2023 3rd Annual Cybersecurity Law and Policy Scholars Conference, Boston, MA, USA, September 29-30, 2023.
https://www.clpsc.org/

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org
Submission dates: 15 May 2023, 30 September 2023 and 3 February 2024

CNS 2023 11th annual IEEE Conference on Communications and Network Security, Orlando, FL, USA, October 2-5, 2023.
https://cns2023.ieee-cns.org/

MarCaS 2023 1st IEEE LCN Workshop on Maritime Communication and Security, Held in conjunction with the 48th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2023), Daytona Beach, Florida, USA, October 2-5, 2023.
https://garykessler.net/lcn_marcas/

ICN 2023 10th ACM Conference on Information Centric Networking, Reykjavik, Iceland, October 8-10, 2023.
https://conferences.sigcomm.org/acm-icn/2023

IFIP 11.9 DF 2023 20th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 4-5, 2024.
http://www.ifip119.org
Submission date: 15 October 2023

RAID 2023 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, October 16-18, 2023.
https://raid2023.org/call.html

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission dates: 6 June 2023, 17 October 2023, and 8 February 2024

SecDev 2023 IEEE Secure Development Conference, Atlanta, GA, USA, October 18-20, 2023.
https://secdev.ieee.org/2023/home

CANS 2023 22nd International Conference on Cryptology and Network Security, Augusta, Georgia, USA, October 31 - November 2, 2023.
https://www.augusta.edu/ccs/conferences/cans2023/index.php

TPS 2023 IEEE International Conference on Trust, Privacy and Security in Intelligent systems, and Applications, Atlanta, GA, USA, November 1-3, 2023.
http://www.sis.pitt.edu/lersais/conference/tps/2023/calls.html

UbiSec 2023 3rd International Conference on Ubiquitous Security, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/ubisec2023/

TrustCom 2023 22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/trustcom2023/

eCrime 2023 18th APWG Symposium on Electronic Crime Research 2023, Barcelona, Spain, November 15-17, 2023.
https://apwg.org/event/ecrime2023/

C&ESAR 2023 Cybersecurity of Smart Peripheral Devices (Mobiles / IoT / Edge), Rennes, France, November 21-22, 2023.
https://2023.cesar-conference.org

CCS 2023 30th ACM Conference on Computer and Communications Security, Copenhagen, Denmark, November 26-30, 2023.
https://www.sigsac.org/ccs/CCS2023/index.html

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024.
https://petsymposium.org/cfp24.php
Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html
Submission dates: 13 April 2023, 3 August 2023, and 6 December 2023

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/
Submission dates: 21 August 2023 and 7 December 2023

ACSAC 2023 Annual Computer Security Applications Conference, Austin, Texas, USA, December 4-8, 2023.
https://www.acsac.org/2023/submissions/papers/

FPS 2023 16th Foundations & Practice of Security Symposium, Bordeaux, France, December 11-13, 2023.
https://www.fps-2023.com/

ICISS 2023 19th International Conference on Information Systems Security, NIT Raipur, India, December 16-20, 2023.
https://iciss.isrdc.in

IEEE Blockchain 2023 IEEE International Conference on Blockchain, Ocean Flower Island, Hainan, China, December 17-21, 2023.
https://ieee-cybermatics.org/2023/blockchain/

CODASPY 2024 14th ACM Conference on Data and Application Security and Privacy, Porto, Portugal, June 19-21, 2024.
https://ieee-cybermatics.org/2023/blockchain/
Submission date: 18 December 2023

eDemocracy and Open Government (JeDEM), Special Issue on Digital Sovereignty - Interdisciplinary insights into digital technology and infrastructure, information privacy and digital security.
https://www.jedem.org/index.php/jedem/announcement/view/61
Submission date: 31 December 2023

IFIP 11.9 DF 2023 20th Annual IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 4-5, 2024.
http://www.ifip119.org

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org
Submission dates: 15 May 2023, 30 September 2023 and 3 February 2024

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission dates: 6 June 2023, 17 October 2023, and 8 February 2024

NDSS 2024 Network and Distributed System Security Symposium, San Diego, California, USA, February 26 - March 1, 2024.
https://www.ndss-symposium.org/ndss2024/

FC 2024 28th International Conference on Financial Cryptography and Data Security, Willemstad, Curacao, March 4-8, 2024.
https://fc24.ifca.ai/cfp.html

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024.
https://petsymposium.org/cfp24.php
Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html

CODASPY 2024 14th ACM Conference on Data and Application Security and Privacy, Porto, Portugal, June 19-21, 2024.
http://www.codaspy.org/2024/

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024.
https://petsymposium.org/cfp24.php

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
    OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
     OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________

TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________

TC Officers
____________________________________________________________________________

Chair:
  Gabriela Ciocarlie
  Associate Professor
  University of Texas at San Antonio
  tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
  Daniel Takabi
  Associate Professor
  Georgia State University
  https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
  Thorsten Holtz
  Faculty Member
  CISPA Helmholtz Center for Information Security
  tcchair at ieee-security.org

Treasurer:
  Yong Guan
  Professor
  Department of Electrical and Computer Engineering
  Iowa State University, Ames, IA 50011
  treasurer@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Woodland Hills, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
  Trent Jaeger
  Associate Professor
  Pennsylvania State University
  https://www.cse.psu.edu/~trj1/
  sp24-chair@ieee-security.org

TC Awards Chair:
  Tegan Brennan
  Assistant Professor
  Stevens Institute of Technology
  tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year